!9970 CVE-2024-39503

MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);

/* When the nfnl mutex or ip_set_ref_lock is held: */

#define ip_set_dereference(p)		\

	rcu_dereference_protected(p,	\

#define ip_set_dereference(inst)	\

	rcu_dereference_protected((inst)->ip_set_list,	\

		lockdep_nfnl_is_held(NFNL_SUBSYS_IPSET) || \

		lockdep_is_held(&ip_set_ref_lock))

		lockdep_is_held(&ip_set_ref_lock) || \

		(inst)->is_deleted)

#define ip_set(inst, id)		\

	ip_set_dereference((inst)->ip_set_list)[id]

	ip_set_dereference(inst)[id]

#define ip_set_ref_netlink(inst,id)	\

	rcu_dereference_raw((inst)->ip_set_list)[id]

#define ip_set_dereference_nfnl(p)	\

		if (!list)

			goto cleanup;

		/* nfnl mutex is held, both lists are valid */

		tmp = ip_set_dereference(inst->ip_set_list);

		tmp = ip_set_dereference(inst);

		memcpy(list, tmp, sizeof(struct ip_set *) * inst->ip_set_max);

		rcu_assign_pointer(inst->ip_set_list, list);

		/* Make sure all current packets have passed through */

				    .len = IPSET_MAXNAMELEN - 1 },

};

/* In order to return quickly when destroying a single set, it is split

 * into two stages:

 * - Cancel garbage collector

 * - Destroy the set itself via call_rcu()

 */

static void

ip_set_destroy_set(struct ip_set *set)

ip_set_destroy_set_rcu(struct rcu_head *head)

{

	pr_debug("set: %s\n",  set->name);

	struct ip_set *set = container_of(head, struct ip_set, rcu);

	/* Must call it without holding any lock */

	set->variant->destroy(set);

	module_put(set->type->me);

	kfree(set);

}

static void

ip_set_destroy_set_rcu(struct rcu_head *head)

_destroy_all_sets(struct ip_set_net *inst)

{

	struct ip_set *set = container_of(head, struct ip_set, rcu);

	struct ip_set *set;

	ip_set_id_t i;

	bool need_wait = false;

	ip_set_destroy_set(set);

	/* First cancel gc's: set:list sets are flushed as well */

	for (i = 0; i < inst->ip_set_max; i++) {

		set = ip_set(inst, i);

		if (set) {

			set->variant->cancel_gc(set);

			if (set->type->features & IPSET_TYPE_NAME)

				need_wait = true;

		}

	}

	/* Must wait for flush to be really finished  */

	if (need_wait)

		rcu_barrier();

	for (i = 0; i < inst->ip_set_max; i++) {

		set = ip_set(inst, i);

		if (set) {

			ip_set(inst, i) = NULL;

			set->variant->destroy(set);

			module_put(set->type->me);

			kfree(set);

		}

	}

}

static int ip_set_destroy(struct sk_buff *skb, const struct nfnl_info *info,

	if (unlikely(protocol_min_failed(attr)))

		return -IPSET_ERR_PROTOCOL;

	/* Commands are serialized and references are

	 * protected by the ip_set_ref_lock.

	 * External systems (i.e. xt_set) must call

	 * ip_set_put|get_nfnl_* functions, that way we

	 * ip_set_nfnl_get_* functions, that way we

	 * can safely check references here.

	 *

	 * list:set timer can only decrement the reference

	 * without holding the lock.

	 */

	if (!attr[IPSET_ATTR_SETNAME]) {

		/* Must wait for flush to be really finished in list:set */

		rcu_barrier();

		read_lock_bh(&ip_set_ref_lock);

		for (i = 0; i < inst->ip_set_max; i++) {

			s = ip_set(inst, i);

		}

		inst->is_destroyed = true;

		read_unlock_bh(&ip_set_ref_lock);

		for (i = 0; i < inst->ip_set_max; i++) {

			s = ip_set(inst, i);

			if (s) {

				ip_set(inst, i) = NULL;

				/* Must cancel garbage collectors */

				s->variant->cancel_gc(s);

				ip_set_destroy_set(s);

			}

		}

		_destroy_all_sets(inst);

		/* Modified by ip_set_destroy() only, which is serialized */

		inst->is_destroyed = false;

	} else {

		features = s->type->features;

		ip_set(inst, i) = NULL;

		read_unlock_bh(&ip_set_ref_lock);

		/* Must cancel garbage collectors */

		s->variant->cancel_gc(s);

		if (features & IPSET_TYPE_NAME) {

			/* Must wait for flush to be really finished  */

			rcu_barrier();

		}

		/* Must cancel garbage collectors */

		s->variant->cancel_gc(s);

		call_rcu(&s->rcu, ip_set_destroy_set_rcu);

	}

	return 0;

}

static void __net_exit

ip_set_net_exit(struct net *net)

ip_set_net_pre_exit(struct net *net)

{

	struct ip_set_net *inst = ip_set_pernet(net);

	struct ip_set *set = NULL;

	ip_set_id_t i;

	inst->is_deleted = true; /* flag for ip_set_nfnl_put */

	nfnl_lock(NFNL_SUBSYS_IPSET);

	for (i = 0; i < inst->ip_set_max; i++) {

		set = ip_set(inst, i);

		if (set) {

			ip_set(inst, i) = NULL;

			set->variant->cancel_gc(set);

			ip_set_destroy_set(set);

		}

}

	nfnl_unlock(NFNL_SUBSYS_IPSET);

static void __net_exit

ip_set_net_exit(struct net *net)

{

	struct ip_set_net *inst = ip_set_pernet(net);

	_destroy_all_sets(inst);

	kvfree(rcu_dereference_protected(inst->ip_set_list, 1));

}

static struct pernet_operations ip_set_net_ops = {

	.init	= ip_set_net_init,

	.pre_exit = ip_set_net_pre_exit,

	.exit   = ip_set_net_exit,

	.id	= &ip_set_net_id,

	.size	= sizeof(struct ip_set_net),

	struct set_elem *e;

	int ret;

	list_for_each_entry(e, &map->members, list) {

	list_for_each_entry_rcu(e, &map->members, list) {

		if (SET_WITH_TIMEOUT(set) &&

		    ip_set_timeout_expired(ext_timeout(e, set)))

			continue;

	struct set_elem *e;

	int ret;

	list_for_each_entry(e, &map->members, list) {

	list_for_each_entry_rcu(e, &map->members, list) {

		if (SET_WITH_TIMEOUT(set) &&

		    ip_set_timeout_expired(ext_timeout(e, set)))

			continue;

	struct list_set *map = set->data;

	struct set_adt_elem *d = value;

	struct set_elem *e, *next, *prev = NULL;

	int ret;

	int ret = 0;

	list_for_each_entry(e, &map->members, list) {

	rcu_read_lock();

	list_for_each_entry_rcu(e, &map->members, list) {

		if (SET_WITH_TIMEOUT(set) &&

		    ip_set_timeout_expired(ext_timeout(e, set)))

			continue;

		if (d->before == 0) {

			ret = 1;

			goto out;

		} else if (d->before > 0) {

			next = list_next_entry(e, list);

			ret = !list_is_last(&e->list, &map->members) &&

		} else {

			ret = prev && prev->id == d->refid;

		}

		return ret;

		goto out;

	}

	return 0;

out:

	rcu_read_unlock();

	return ret;

}

static void

	/* Find where to add the new entry */

	n = prev = next = NULL;

	list_for_each_entry(e, &map->members, list) {

	list_for_each_entry_rcu(e, &map->members, list) {

		if (SET_WITH_TIMEOUT(set) &&

		    ip_set_timeout_expired(ext_timeout(e, set)))

			continue;

{

	struct list_set *map = set->data;

	struct set_adt_elem *d = value;

	struct set_elem *e, *next, *prev = NULL;

	struct set_elem *e, *n, *next, *prev = NULL;

	list_for_each_entry(e, &map->members, list) {

	list_for_each_entry_safe(e, n, &map->members, list) {

		if (SET_WITH_TIMEOUT(set) &&

		    ip_set_timeout_expired(ext_timeout(e, set)))

			continue;

list_set_destroy(struct ip_set *set)

{

	struct list_set *map = set->data;

	struct set_elem *e, *n;

	list_for_each_entry_safe(e, n, &map->members, list) {

		list_del(&e->list);

		ip_set_put_byindex(map->net, e->id);

		ip_set_ext_destroy(set, e);

		kfree(e);

	}

	WARN_ON_ONCE(!list_empty(&map->members));

	kfree(map);

	set->data = NULL;

	if (SET_WITH_TIMEOUT(set))

		timer_shutdown_sync(&map->gc);

	/* Flush list to drop references to other ipsets */

	list_set_flush(set);

}

static const struct ip_set_type_variant set_variant = {